Higher dimensional entanglement enables QKD without perfect randomness 
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A recent paper introduces an attack on quantum key distribution protocols that exploits imperfect 
randomness and a sublinear sample size. We show that a generalized attack compromises the security 
even with a linear size test sample and device independent security considerations. We explicitly 
derive the sample size needed to retrieve security as a function of the randomness quality. We 
demonstrate that exploiting features of genuinely higher dimensional systems one can reduce this 
weakness and provide device independent security more robust against weak randomness sources. 
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Quantum cryptography is one of the most promi- 
nent applications of quantum information theory. It 
enables a level of security in key distribution that is 
unparalleled in classical information theory, as a suc- 
cessful eavesdropping would violate fundamental laws 
of quantum physics. This is true at least in theo- 
retically perfect settings. Apart from specific attacks 
targeted at imperfect technical implementations, such 
as e.g. low efficiency detectors have shown that there 
is still a lot of room for improvement until the ap- 
plication is perfected. The original proposals how- 
ever were still making a lot of strong assumptions on 
the systems used for cryptography. One can group 
these approaches in two classes. Prepare and measure 
quantum key distribution (QKD) utilizes the fact that 
measurement is not possible without disturbance in 
quantum physics (the first protocol was proposed in 
Ref. [l|). The strong assumption here is that one is 
in perfect control of the source and measurement ap- 
paratuses. Indeed it was shown that security can be 
compromised if the source of the information carriers, 
or the measurement apparatuses used for interacting 
with them is manipulated 0,13]. In the second type of 
protocols entanglement is used to establish a secure 
key, which due to the limited shareability of quan- 
tum correlations provides security even if the source 
of entangled states is in the hands of an eavesdrop- 
per (the first such protocol was proposed in Ref. 0]). 
Also in this case however it is possible to break the 
security of the protocols if the eavesdropper also has 
manipulated the measurement devices. Fortunately, 
using device independent verification of entanglement, 
one can overcome this flaw and recent works have fo- 
cused on device independent quantum key distribu- 
tion (DIQKD) (see e.g. Refs. 0,0]). 
All device independent proposals so far have used as- 
sumptions about a perfectly uniform randomness be- 
ing readily available. In Ref. it was shown that even 
a slight imperfection in randomness generation leads 
to a possible loophole and even entanglement based 
protocols can be compromised. This loophole however 
originates in the sublinear size of the test sample. 



The attack of Eve in that paper assumes that Eve 
is responsible for the bad randomness and can use her 
knowledge of the bias to guess with high probability 
in which rounds the security check will be performed 
and thus remain undetected. However, this is only 
one of the points where the randomness enters the 
protocol. The other is the choice of the measurement 
settings. As we will see the bad quality of randomness 
used there has a big impact on the security. In this 
paper we generalize the attack from Ref. and show 
that the security of the DIQKD can be compromised, 
even when using a linear test sample, if Eve exploits 
the min-entropy loss in both the choice of the settings 
and the test sample. 

We show that below a certain threshold of random- 
ness quality key generation is no longer possible with 
qubit protocols. Furthermore we propose a scheme 
that overcomes this weakness by considering genuinely 
high-dimensional entangled systems, that are readily 
available in quantum photonics (sec e.g. Refs. [10l — 

This paper is structured as follows: First we present 
the scenario that we are working in and the protocol 
that the parties are using. Then we derive the min- 
imal violation of the Bell inequality used as a secu- 
rity parameter as a function of min-entropy loss rate. 
Next we prove the necessity of a feature that any QKD 
protocol must have in presence of bad randomness: a 
linear size of the test sample. Then we find the suffi- 
cient size of the sample for CGLMP [r| testing. We 
end with discussing the implications of our work and 
the open problems. 

To start let us first specify the setting. Alice and 
Bob want to share a secure key. They implement a 
protocol under the following conditions 

1. Potentially compromised measurement appara- 
tus. Alice and Bob have access to quantum 
measurement devices, which they cannot trust. 
However, following 0], we assume that the ob- 
servables measured in the different runs com- 
mute. 
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2. Potentially compromised source of multidimen- 
sionally entangled quantum systems. 

3. No pre-existing secret key: This is very impor- 
tant. If Alice and Bob have some shared secret 
bits they could use it as a randomness source 
with perfect randomness. 

4. Bad randomness: Alice and Bob have poten- 
tially compromised sources of randomness. The 
min-entropy loss rate of their is L. We assume 
that the randomness generators of Alice and 
Bob can be correlated. 

5. An authenticated classical channel. 

Now we specify the protocol that they arc going 
to implement. It is the standard DIQKD one. Two 
communicating parties are going to use the CGLMP 
[l5j | inequality violation as their security parameter. 
To estimate the violation each party has to randomly 
choose one of the settings a = 0, 1 for Alice and b = 
0, 1 for Bob. To generate the key Bob will use a third 
setting 6 = 2 which gives him outcomes maximally 
correlated with Alice's when she chooses a — 0. The 
protocol has N runs. First Bob randomly chooses a 
subset of fN of runs where the parties estimate the 
parameter. In this subset he chooses settings 6 = or 
1 randomly. In the remaining (1 — f)N runs he uses 
6 = 2. Alice chooses a = or 1 randomly in all the 
runs. 

After the measurements for all the runs are com- 
plete Bob announces the cases which he used for pa- 
rameter estimation. The parties announce the settings 
and outcomes for all of these runs and use them to es- 
timate the value of the CGLMP inequality violation. 
In the remaining (1 — f)N runs Alice announces when 
she has chosen a = 1 and the parties discard these 
runs. Only the cases when a = and 6 = 2 arc used 
to generate the key. 

This protocol is quite standard for DIQKD apart 
from the fact that usually only a number of runs sub- 
linear in N is used for the parameter estimation. The 
reason why we need a sample of linear size is the bad 
randomness in the possession of the parties. From 
Q we already know that Alice and Bob cannot have 
any secure protocol with a smaller test sample under 
these conditions and we give the explicit proof for the 
DIQKD scenario in the appendix II Al 

In order to analyze the protocol we take the same 
approach as Ref. |8| in quantifying the imperfection of 
the randomness using the min-entropy loss rate. Let 
(M, 6) denote an imperfect source of randomness that 
creates strings of length M , according to a probability 
distribution with min-entropy 6. We quantify the bias 
of the source by the min-entropy loss rate denoted 

t _ M-b 

L - ~TT- 

The protocol described above generates sifted key 
which can be later turned into the secret key via clas- 
sical privacy amplification and error correction proce- 



dures. Though these procedures also require random- 
ness their analysis falls outside the scope of this paper 
and we are interested in the most general attack on 
the " quantum" part of the protocol. First let us focus 
on the randomness in the choice of the settings. 

The min-entropy loss rate L is the resource that 
the adversary uses to attack the protocol. It can be 
directly related to her probability of guessing the set- 
tings in each round of the protocol. For clarity, we 
can divide the guessing in two parts. The first is de- 
ciding whether 6 = 2 or, in other words, whether this 
round is used for parameter estimation. The second 
is guessing the measurement settings in each round. 

The goal of Eve is to learn as much of the sifted 
key as possible while remaining undetected. When 
6 = 2 then the adversary aims at maximizing her cor- 
relations with Alice. If 6 < 2 her aim is to hide her 
interference. The limits of her resource make it im- 
possible to know the value of 6 in every round. Since 
the strategy optimal for 6 = 2 gives her more informa- 
tion about the key than the one for 6 < 2 the optimal 
attack is to use the strategy for 6 = 2 even in some 
rounds used for parameter estimation provided that 
she can avoid detection. 

The strategy optimal for 6 = 2 is to prepare a prod- 
uct state (its details are discussed later) but if L is 
large enough we will see that it becomes also the opti- 
mal strategy for 6 < 2. In this case we have no hopes 
for security. 

Our protocol has two important parameters: the 
amount of CGLMP violation and the fraction / of the 
rounds used for parameter estimation. Now we find 
the lower bounds for both of these as the functions of 
L. 

In the device independent protocols the key ingre- 
dient is the parameter estimation phase where the 
parties estimate the violation of the Bell inequality. 
However to test it some randomness is required. To 
our knowledge, in all the works on device independent 
protocols it is assumed that this randomness is per- 
fect. The attack presented in Q used only the fact 
that bad randomness can let Eve to choose a sub- 
set of runs where she knows that they are not used 
for parameter estimation. But bad randomness of the 
settings leads to the increase of the local bound which, 
in turn, leads to another loophole in quantum cryp- 
tography Though, apart from [l6| there have 
been other works that studied the dependence of the 
local bound on the input randomness, they have been 
either restricted to CHSH [l?} or the randomness was 
measured in the terms of conditional Shannon entropy 
1811 . Therefore, we need to adapt the methods from 
18[ to find the local bound on CGLMP as a function 
of the min-entropy loss rate. 

We start by expressing CGLMP in a "normalized" 
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form 

i (P(A < B\a = 0, 6 = 0) + P(B < A|a = 0, b = 1)+ 

P(A <B\a = l,b = l) + P{B <A\a=l,b= 0)) < 

(1) 

where a and 6 denote the settings of Alice and Bob 
respectively and A and B their outcomes. It is a nor- 
malized variant of CGLMP first introduced in [l9l |. 

One approach to Bell inequalities is to treat them as 
nonlocal games. We can think of the parties receiving 
their inputs from the referee who assures them that 
they arc chosen according to uniform probability dis- 
tribution. He can, however, be wrong or lying. What 
happens then is Alice and Bob playing the game with 
the strategy optimized for the uniform distribution of 
settings while they are not. Effectively, they are try- 
ing to violate inequality 

PooP(A <B\a = 0,b = 0)+p 01 P{B < A\a = 0,6 = 1) + 
PioP{A < B\a = 1, b = 1) + pnP(B <A\a=l,b = 0) 

< R, 

(2) 

where Pij is the probability of Alice getting setting i 
and Bob j. Furthermore, these probabilities change 
each round. In the appendix II Bl we prove that the 
optimal violation that can be achieved with product 
states for a given min entropy loss rate L is given by 



log 3)' 



(3) 



This bound is plotted on Fig Q] and it becomes the 
crucial local bound that Alice and Bob need to violate 
if they want to have a chance for security. 

However violating the local bound is only a neces- 
sary condition for the security. It is known Q that 
the key rate in the DIQKD protocol with commut- 
ing obscrvables secure against general attacks is lower- 
bounded by 



key 



(4) 



where H QO (A\E) is the min-entropy rate of the Alice's 
bit of key conditioned on Eve's information, N pu b the 
amount of communication in the error correction and 
privacy amplification phases and N^ey the length of 
the key. In the appendix II CI and II Dl wc show that 
the violation of the local bound in CGLMP inequality 
implies H oc (A\E) > and indeed we can even infer a 

lower bound H oa (A\E) > fl ° b ° 1 ~^ ( - L - ) where R b B is the 
average value of the CGLMP measured by the parties. 

Now if one assumes that the correlations are almost 
perfect whenever a = and 6 = 2, Eve is forced to 
use the states that give maximal correlation between 
the parties for settings a = and 6 = 2 as the part 
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FIG. 1: (Color online) Here we plot the maximal expec- 
tation value of the normalized CGLMP inequality ,with 
product states that are distributed by Eve, as a function 
of the min-entropy loss rate L. For comparative purposes 
we also include three exemplary violations by maximally 
entangled states of dimension d — 2, d — 4 and d — 32. It 
follows directly from this relation that if the min entropy 
loss rate L exceeds ~ 0.043, there is no hope of a secure 
protocol using qubits. 



of her strategy optimal for 6 = 2. This assumption 
here is made purely for the simplicitly of the follow- 
ing first analysis of the influence of bad randomness 
in DIQKD, however in the appendix II El we show how 
the formulas develop without this assumption. This 
strategy is in contrast with the attack proposed in 
[§| where in most of the rounds not used for param- 
eter estimation Eve tries to decrease the correlations 
between Alice and Bob. This attack can remain unde- 
tected under the assumption of sublinear sample size. 

If the violation of CGLMP is large enough we know 
that we can have a secure protocol but we still have 
to find out the size of the test sample /. 

From the considerations presented earlier we know 
that the optimal strategy for Eve is to use the strategy 
optimal for 6 < 2 in kN rounds with k < f and the 
strategy optimal for 6 = 2 in the rest of them. The 
strategy optimal for 6 < 2 is, obviously, to send the 
state that violates CGLMP the most for the given 
number of outcomes. The strategy optimal for 6=2 
is to send the product state \tp). Of course the closer 
Eve wants to bring k to /, the more min-entropy loss 
L she has to induce 



Ln — 



log (A 



)-log«) 



log 



VfNl 



(5) 



which for large N approaches 



L(k, /) = lim Ln = 
-/log(/) - (1 - k) log(l -k) + (/ - k) log(/ - k) 



Kf) 



where h(.) is Shannon's binary entropy function. 



(6) 
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At the same time the closer k is to / the larger is the 
Bell inequality violation that the parties can observe. 
In j of the rounds used to estimate CGLMP the state 
that violates it maximally for the given number of 
outcomes is distributed. Let us denote this violation 
by Rq(L,(T). In the remaining rounds the state 
distributed is \ip) and, since it is a product state, the 
maximal violation is R(L). Therefore the violation 
observed can be at most 



Robs < jR Q (L,d) + L-J?-R{L), 



which implies 



k>f 



Robs — R{L) 

Rq{L, d) — R{L) 



(7) 



(8) 



Rq{L, d) is the maximal quantum violation of 
CGLMP inequality with d outcomes and the min- 
entropy loss rate of the randomness of the settings 
L. There are no known methods of finding this value. 
However we can always bound it by the algebraic 
bound: Rg(L,d) < 1, which implies 

k>f R ^_- R ^ =k(R obs ,L). (9) 

Plugging this into ([6]) we obtain 

L>L(k(R obs ,L),f), (10) 

which can be solved for any value of L giving a lower 
and an upper bound on the fraction / of the rounds 
used for parameter estimation. There is an upper 
bound due to the fact that / is the fraction of rounds 
to be tested with the CGLMP inequality. Here Eve 
needs to make sure that she restricts most of them to 
a sample space, that she knows with certainty. Coun- 
terintuitively it can happen that if / is chosen too 
large, that this task actually gets easier for Eve, now 
succeeding with her attack. 

Now we also need to discuss another lower bound for 
/. For N — > oo this it will also be arbitrarily small 
due to infinte precision in the measurement of R bs- 
But in every practical scenario we have to face the 
fact that we only have a limited number of runs and 
Robs will always carry experimental error bars from its 
statistical deduction. So depending on the statistical 
fidelity which we aim for in a finite number of runs, we 
will have to choose a large enough fraction of N runs 
to guarantee that such a precision is possible to attain 
in fN runs. This lower bound is easy to calculate for 
any specific implementation, but as it depends also on 
the experimental settings and errors we do not present 
a detailed analysis of this lower bound. We want to 
point out, however, that it can in a realistic setting 
be significantly larger than the upper bound on / for 
qubits. 
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FIG. 2: (Color online) Here we depict the upper bound 
on the fraction / for different observed violations of the 
CGLMP inequallity R t s , for a fixed value of min-entropy 
loss rate L = 0.03. As in this case R(L) = 0.786141 
we know we need to observe a strictly larger violation to 
provide security, and we see that if the violation is high 
enough that the upper bound of / effectively approaches 1. 
For qubits d = 2 the fundamental limit is R b s < 0.801777, 
which fundamentally constrains / < 0.723026, whereas 
with d = 4 one can already reach / < 0.999416 The lower 
bound itself, despite not being sublinear is still rather 
small and would not show up comprehensively in this plot. 



In conclusion we have shown that even in DIQKD 
settings security can be compromised if the local ran- 
domness is not uniform. We explicitly derive the 
fundamental bounds on the randomness quality in 
this setting, and consequently demonstrate that high- 
dimensional entanglement is indeed more powerful 
than mere qubit entanglement. Thus we have not only 
shed light on the role of randomness in the security of 
DIQKD protocols but at the same time we have pro- 
vided a clear example where the generation of high- 
order entanglement opens up new paths in quantum 
cryptography. 

For the fundamental introduction of the protocol we 
have looked at an idealised scenario. We can however 
also apply the same reasoning without assuming per- 
fect correlations II El or also considering different types 
of entropy loss in the randomness generators. The 
basis for the improvement of the protocol remains the 
same however. A higher violation of Bcll-incqualitics 
through higher dimensions increases the randomness 
of the outcomes and strengthens the protocols, while 
a higher number of outcomes increases the key rate. 
A full analysis of different scenarios is under prepara- 
tion. 

It should also be noted that this protocol is not nec- 
essarily only usable in situations where the random- 
ness quality exceeds a bound for qubits. If the min- 
entropy loss rate is assumed small enough that the 
protocol would potentially also be achievable using 
qubit systems it still pays off greatly to use the high 
order entanglement, due to the fact that with every 
measurement multiple bits of key are generated (i.e. 
log(d) bits) and there is no downside once such high- 
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dimensional entanglement is readily available. That 
is proven by numerous recent experimental results 
that achieve high-order entanglement up to d w 50 in 
Ref . [l4| . which provides more than five bits per mea- 
surement outcome. Also there exist different possibil- 
ities for implementing such high dimensions in pho- 
tonic systems, e.g. in path (Ref. or a large fam- 
ily of orbital angular momentum (OAM) modes (e.g. 
Ref [IH). 



Acknowledgments We want to thank Sven Ramelow 
and the members of IQOQI Vienna for initial fruitful 
discussions. Furthermore we would like to thank Jan 
Bouda and Andreas Winter for insightful comments 
on the manuscript. MH also acknowledges funding 
from the FP7-MarieCurie grant "Quacocos" and MP 
acknowledges funding from UK EPSRC, FNP TEAM 
and the ERC grant QOLAPS. 



[1] C.H. Bennett, G. Brassard, in: Proceedings IEEE Int. 
Conf. on Computers, Systems and Signal Processing, 
Bangalore, India (IEEE. New York, 1984), PP- 175- 
179 (1984). 

[2] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). 
[3] I. Gerhardt, et. oZ.Nat. Commun. 2, 349 (2011). 
[4] I. Gerhardt, et. aZ.Phys. Rev. Lett. 107, 170404 
(2011). 

[5] A. Acin, et.oi.Phys. Rev. Lett. 98, 230501 (2007). 
[6] S. Pironio, et.oZ.New J. Phys. 11, 045021 (2009). 
[7] LI. Masanes, S. Pironi, A. Acin, Nat. Commun. 2, 238 
(2011). 

[8] J. Bouda, M. Pivoluska, M . Plesch and C. Wilmott, 

|arXiv: quant-ph/1206.1287| 
[9] A. Mair, A. Vaziri, G. Weihs and A. Zeilinger, Nature, 
Vol.412, 3123-316 (2001). 
[10] Ch. Schaeff, et. al. Optics Express Vol. 20, No. 10 

(05/07/2012). 
[11] M. Krenn, et. aZ |arXiv:quant-ph/1205.2514| 
[12] R. Fickler, et. al. arXiv:quant-ph/1207.2376 
[13] S. Zhao et. al, |arXiv:quant-ph/1205.08liH 



[14] J. Romero, et. ai. |arXiv:quant-ph/1205.1968| 
[15] D. Collins, 



[16] 
[17] 



N. Gisin, N. Linden, S. Massar and S. 
Popescu, Phys. Rev. Lett. 88, 040404 (2002). 
J. Kofler, T. Paterek, C. Brukner, Phys. Rev. A 73, 
022104 (2006). 

T. Lawson, N. Linden, S. Popescu, 



arXiv:quant-ph/1011.6245 



[18] M. Pawlowski, K. Horodecki, P. Horodecki, R. 

Horodecki, in: R. Horodecki, S. Kilin, J. Kowalik 

(Eds.), "Quantum Cryptography and Computing", 

IOS Press, Amsterdam, (2010). 
[19] S. Zohren, R. D. Gill, Phys. Rev. Lett. 100, 120406 

(2008). 

[20] S. Zohren, P. Reska, R. D. Gill, W. Westra, Euro- 
physics Letters 90, 10002 (2010). 

[21] M. Pawlowski, C. Brukner, Phys. Rev. Lett. 102, 
030403 (2009). 

[22] S. Pironio, et. al. Nature 464, 1021 (2010). 

[23] A. Acin, S. Massar and S. Pironio, Phys. Rev. Lett. 
108, 100402 (2012). 



J 



I. APPENDIX 



A. Impossibility of sublinear sample size 



In the protocol we use a linear size of the test sample for both CGLMP correlations and the ones for a = 
and 6 = 2. One could ask if this is indeed necessary. Because the conditions on Eve's attack and the setting of 
our protocol are substantially different from the one presented in Q we cannot use the attack presented there 
to prove the insecurity of the protocol. However we can find an attack which works, with slight modifications 
in both settings. Let us start with the device independent one. 

If the test sample is of the size V 1_a then Eve in can choose a number k such that kN > V 1_Q . Because we 
are interested in the limit of large N's k can be chosen arbitrarily small. She exploits bad randomness of the 
parties to make sure that the V 1_a rounds for CGLMP inequality testing are taken from kN predetermined 
rounds. In these rounds Eve sends the state that Alice and Bob hope to have in all of them. In the rest of the 
rounds she prepares product state = \x) a= o\x)b=2 where the indexes denote the bases. 

In this case the CGLMP inequality violation is estimated only in the rounds where the state is entangled 
and, at the same time, the correlations for a = and 6=2 are perfect in all the cases. This means that the 
parties will not detect Eve, while Hoo(A\E) < k can be made arbitrarily small for large N. 

The min-entropy loss rate in this case can also be made arbitrarily small since 



The version of this attack for the prepare and measure scenario involves Eve not interacting in kN rounds 
used to check the correlations and measuring the system in (1 — k)N rounds in a random basis and sending the 
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state that she got to Bob. It also leads to arbitrarily low min-entropy with arbitrarily good randomness. 



B. Bell inequality violation as a security check 

From [l8j we know that the local bound for the CGLMP game played with imperfect randomness is 1 — r 
where r = min a! b P(a, b). The lowest amount of min-entropy for a particular value of r is attained by the 
distribution (r, ^jp, ■^jp, ^p) ■ This leads to the local bound in the terms of min-entropy 



R < min 



{3*2- ff ~( a ' b \l} (12) 



As soon as this value reaches the quantum bound there is no possibility of the experimental verification that 
the measured state is not classical and no hopes for secure QKD. The quantum bound, however, depends on the 
dimension of the measurement system and approaches 1 as d — > oo [201 ]. This value is obtained by min-entropy 
of log 3 ks 1.585, however the critical value is smaller for any state of finite dimension. The quantum bound on 
(TT|) is 0.8177 for d = 2 and 0.8516 for d = 5 [nj, which translates to the critical min entropies of 1.875 and 
1.817 respectively. 

For the experiment repeated many times, in the i-th run the bound is R4 = min |3 * 2~ ff °°, l|, where 
is the min-entropy of the settings in the z-th round conditioned on the events from the setting generation for 
the previous rounds. Let us see how big the average R = -h X)j=i Ri can be for a given sum of the entropies 
fls = J2iLi Hoo ■ Clearly, it is pointless for the adversary to set lower than log 3 of any i as it docs not 
increase the bound. In region Hoo G [log 3, 2] R is convex so the optimal strategy is to use m instances of 
settings with entropy log 3 and M — m instances with entropy 2 where 



log3m + 2(M-m) = H s , (13) 

T^nic Ytnll rrnro +■ 

2-lo S 3 



which gives m = 2 „ M . ^? This will give the local bound 



R<lf(m + -AM-m)\=U -i |t- . (14) 



M\ 4 V /4 2(2 -log 3) 

Because the total min-entropy of the source is 



#00 = -log max P(a 1 ,...,aM,bi, ... ,b M ) (15) 

»li-,«M ,01, •••,0m 



M 



log max 1 P(ai,bi\ai-i,...,a M ,h-i,—,bM) (16) 

01 »m ,bi,...,bs,- * 



i=l 
M 



< -logTT max P(a l; 6, |ai_i, ...,a M M-U —,b M ) = F s (17) 

and 



i=l 



2M 2M 

we get 



2 M — Hnr, Hqq , . 

L= — = 1 — (18) 

oii.r our v. ) 



R A+w^) =R{L) - (19) 



C. The sufficiency of the violation of the CGLMP inequality 

Lemma 1: The violation of the local bound in CGLMP inequality implies H OQ (A\E) > 0. 

Proof. Let us assume that there exists a setting of Alice, say a = such that max^ P(A\a = 0) = 1 which 
corresponds to zero min-entropy. In such a case instead of measuring with the setting a = Alice can always just 
return the outcome which is certain without making any measurement at all. In other words, she can measure 
observable 1. In [2l| it was shown that if all the observables for one party are compatible (can be measured 
simultaneously) than no-signaling, quantum and local bounds are the same. But 1 and any observable that is 
measured for a = 1 are compatible, so the local bound cannot be violated even by no-signalling theory. QED. 
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D. Lowerbounding min-entropy of Eve 



Theorem In the scenario presented above H OD (A\E) > oh 2\ n 2 where R b s is the average value of the 
CGLMP measured by the parties. 

Proof Let us take a setting of Alice, say a = such that max^ P{A\a = 0) = p and consider a procedure 
similar to the one in lemma but with the outcome of the identity measurement set to the A for which this 
maximum is reached. From lemma we know that in this case the bound R cannot be violated. However, it still 
could be violated if for a = measurement Aq different than 1 is used. 

If the value of CGLMP for the strategy with Aq is 

PooP{A < B\a = 0,b=0) +poiP(B < A\a = 0,6 = 1)+ 
p w P(A <B\a=l,b = l)+p u P{B <A\a=l,b = 0) = Q (20) 

then the value for the strategy with 1 is at least 

p(p 00 P(A < B\a = 0, b = 0) + Pm P{B < A|a = 0, 6 = 1)) + 

p 10 P(A <B\a = l,b = l)+ pnP{B <A\a = l,b = 0)= (21) 
Q-(l-p) ( P ooP(A < 5|a = 0, 6 = 0) + P01 P(B < A\a = 0, b = 1)) (22) 

and this has to be lower or equal R. Because the outcome probabilities are bounded by 1 and the setting 
probabilities by exponent of min-entropy we get 

Q < R+ (l-p)2 1 - H ^ (23) 



or 



p< 1-2 H ~- 1 (Q-R). (24) 
In an experiment repeated M times the min-entropy rate of Eve is 



M 



i=l i=l 
M M 

> V 2 ff ~ (Qi - Ri) > V Qi - Ri 

1 

= H{L). 



> 



M 

M21n2 
Robs — R(L) 



21n2 



(25) 

(26) 
(27) 



Where in the last three inequalities we have used respectively: logarithm's power series expansion, positivity 
of min-entropy and formula (|19[) . Bound H{L) is far from optimal since the approximations made are pretty 
coarse. For a specific outcome alphabet much better bounds probably exist. 



E. Nonperfect Correlations 

In case one does not assume perfect correlations of the measurement outcomes in the rounds where Alice uses 
basis and Bob 2, due to noise in the system, the situation becomes a little more involved. The basic strategy 
of Alice, as well as the improvement from higher dimensions remains the same. 

In this case Eve's resource is still L. If it is larger than it means that some choices of the rounds where the 
correlations are tested are more probable than the others. Her choice of strategy for each is a pair of numbers the 
guessing probability p and the Bell expression expectation value I. They are connected by a relation pc < f(I)- 
It follows directly from (IM1) that 

p<f(I) = l-2 H °°-\l-R(L)). (28) 

These numbers for each round have to be chosen in advance and this choice depends on the probability dis- 
tribution of the tested rounds. Whatever the strategy Eve chooses there is a choice of the test sample which 
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is optimal, from Eve's point of view, for this strategy and for each choice of test sample there is an optimal 
strategy. 

There are two factors that Eve has to consider while choosing her strategy: The observed Bell inequality 
violation and her average guessing probability of the bit of the key. Eve's target is to maximize the latter while 
keeping the former above a certain threshold. If L < 1 then there is some uncertainty in the choice of the 
test sample and Eve cannot be sure that the choice will be optimal for her strategy. For every strategy we 
can list all the choices of the sample according to the value of Eve's target function in the decreasing order. 
Her guessing probability is the weighted average of them and the only constraint on the weights (which are the 
probabilities of choosing them as a sample) is that the largest is Pmax^ H °° = 2 M ( 1_L ) , where M is the amount of 
bits necessary for the description of the test sample. This means that the best distribution of the probabilities 
is (M,p max )-fta.t. 

Because the strategy of Eve is product, i.e. the numbers / and pc are chosen in advance for each round 
and do not depend on the actual numbers produced by the generators, it is optimal for her to concentrate her 
knowledge of the choice of the sample on the information about particular rounds rather than on the relations 
between them. In other words, it is better for her to know that the sample will be surely tested in round 1 
and with probability 50% in round 2 rather than knowing that it will be surely tested in exactly one of these 
rounds; though the min-cntropy is the same in both cases. 

Therefore the most general strategy of Eve is to know a fraction a of all the rounds when the Bell inequality 
is surely tested and a fraction b when it is surely not. If the tested fraction is / then, obviously, a < f and 
b < 1 - /. 



The min-entropy loss is 



log (f N N )~ ( (1 ( mT) 

iogQ 



(29) 



observed Bell inequality violation 



and Eve's average guessing probability 



Robs < jPqm(L) + J—jAl (30) 



Pav = Y~J H PO- ( 31 ) 

Pqm is the maximal quantum violation of CGLMP with min-entropy loss rate L. It comes from the rounds 
when Eve is sure that the testing takes place. In the rounds when she knows nothing she uses pq and / related 
by (|28p . These equations can again be numerically solved for any given pair of L and R bs to optimize the 
strategy and calculate the lower and upper bounds for security considerations. The basic mechanism behind 
the advantage of higher dimensional systems however remains the same. We plan to extensively survey these 
generalized scenarios, also including other types of rando mness loss in future publications. 



